Opened 15 years ago
Closed 15 years ago
#9 closed defect (fixed)
[PATCH] Fix stack and heap buffer overflow in OSRProj4Tokenize()
| Reported by: | rouault | Owned by: | warmerdam |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | libgeotiff | Version: | |
| Keywords: | Cc: |
Description
OSRProj4Tokenize() is vulnerable to malformed input strings : more than 199 tokens, boolean tokens whose length is >= 100-4. A memory leak in case of NULL input strings would also occur.
Attachments (2)
Change History (5)
by , 15 years ago
| Attachment: | OSRProj4Tokenize.patch added |
|---|
comment:1 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 15 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
I re-open the bug as my first fix is not correct. As strncpy does not NUL terminate the buffer if the source string is equal or larger than the provided size, the following strcat can operate out of the buffer...
--> OSRProj4Tokenize_additional_fix.patch
by , 15 years ago
| Attachment: | OSRProj4Tokenize_additional_fix.patch added |
|---|
comment:3 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Second patch applied in trunk (r1639).
Note:
See TracTickets
for help on using tickets.
A slight variation of the patch applied in trunk (r1538).